DataFort: organisations and disasters
Posted: 16 April 2003
Disaster! It’s a sudden, unplanned calamitous event that
brings great loss. Usually it creates panic and the inability of
an organisation to support critical business functions, and ends
up with the dismissal of executive management.
Disasters can be due to storms, outages, malicious code, power
issues, disgruntled employees, political events, or even terrorism.
Business Continuity Planning is a strategy to minimise the effect
of disturbances and allow for the resumption of business processes.
Disaster Recovery Planning is a comprehensive statement of procedures
for responding to an emergency and providing extended backup operations
during the interruptions.
In the old security schools, Business Continuity Planning (BCP)
and Disaster Recovery Planning (DRP) were considered separately.
This is still a common mistake in many organisations today.
BCP designs the framework that helps organisations recover critical
business functions while DRP is the step-by-step procedure which
an organisation follows during a disaster. Today, both are interrelated
and are thought of as one concept.
The Evolution of BCP and DRP
Organisations have begun to adopt comprehensive, enterprise-wide
approaches to continuity planning. The purposes are clear:
- Continuity of critical business processes
- Increasing dependence on the Internet
- Requirements for facility recovery
- Decreasing maximum acceptable outage time frame.
One of the main functions of the DRP is the Business Impact Analysis
(BIA). BIA is a functional analysis that identifies the impacts
should an outage occur.
The main objective of the BIA process is for management to understand
the impact of possible threats on corporate business functions.
Management of any organisation must calculate the Maximum Tolerable
Downtime (MTD) and Recovery Time Objectives (RTO). The MTD might
vary from 30 days for non-essential applications to minutes and
hours for mission critical applications.
There are five categories for the recovery process:
1. Business Recovery: critical resources and the MTD for each business.
2. Facility Recovery: main building and remote buildings.
3. User Recovery: manual procedures, critical documentation and forms, employee transportation, etc.
4. Technical and Operational Recovery: restoration process execution for all IT functions (most crucial category for any IT based organisation).
5. Data Recovery: recovery of information and data through backup, electronic vaulting, online tape vaulting, database shadowing, etc.
Through these five categories, plus awareness and training programs,
organisations can guarantee to minimise disaster impact.
Common Mistakes of Organisations
Most companies make the same mistake and select one of their
remote sites or branches as a disaster recovery center. When a disaster
occurs in a company, business and operational functions are affected.
A successful disaster recovery plan, reducing the MTD and meeting
the RTO, requires a center which is attended, fully redundant, accessible
within one hour, and with updated technology.
Another mistake most companies make is in the vendor selection
process. Most vendors forget the fact that DRP is about processes
and not products only. There are few good companies in the region
with the capability to understand the requirements of the customer,
develop a good plan, analyze the business processes and perform
drills. The vendor which will develop the DRP needs unrestricted
access to a Datacenter, security consultants, technology implementers,
and business analysts. Without all of these elements, the company
is buying a box which will be only another node in the network.
Knowing that disasters do happen, it’s time for all organisations
to evaluate their data and stop thinking that we live in an ideal
world where no harm can be done to our IT resources, intellectual
properties, or even premises. Alternative sites can become the Noah’s
Ark for those who want to survive drowning in the sea of service
interruptions.
Sabri Al-Azazi, CISSP
For more information see www.datafort.net
or e-mail info@datafort.net.

Posted by Richard Price,
Editor Pipeline Magazine
Information supplied by companies
or PR agencies who are responsible for content. Send press releases
to info@pipelinedubai.com